Blog | PowerShell Security Best Practices

Threat actors have long since used legitimate tools to infiltrate and laterally move across defender’s networks. The reasons for this are clear; the likelihood of being detected is much lower when authorized tools are leveraged instead of malicious tools that might trigger prevention or detection controls. PowerShell attributes have also made it attractive to adversaries, having been used most recently in the Petya/NotPetya campaign. In this blog, we will cover some PowerShell best practices that will prepare you for adversaries who will use your own PowerShell implementation against you.

WHAT IS POWERSHELL?

PowerShell is an automation platform and scripting language for Microsoft Windows and Windows Server, which allows you to simplify your system management. Unlike other text-based shells, PowerShell harnesses the power ofMicrosoft’s .NET Framework, providing rich objects and a massive set of built-in functions to take control of your Windows environments.

WHY POWERSHELL?

PowerShell has been used heavily for cyber attacks, especially recently during the Petya/NotPetya campaigns. The most important aspect for attackers is its native integration with the .NET Framework, which offers multiple options for infecting or manipulating the target.

PowerShell was initially mentioned as an attack platform in 2010 (https://www.youtube.com/watch?v=JKlVONfD53w), when it was presented at Def Con 18 as proof of concept. Both a bind and reverse shell programmed purely in PowerShell were demonstrated in the same context.

There are numerous attack tools – likeNishang,PowerSploit, and PowerShell Empire platform (www.PowerShellempire[.]com) – that offer a post-exploitation agent built on cryptological communications. These tools can be used for reconnaissance, persistence, and lateral movement, as well as other offensive techniques. Of course, given its native capabilities, PowerShell can be programmed in multiple ways, providing custom tools and techniques to remain stealthy and undetected by common security controls and countermeasures.

Adversarial Tactics, Techniques & Common Knowledge, orATT&CK by Mitre, which provides an extensive list of attack vectors, tactics, and techniques, describes PowerShell as a powerful interface that adversaries can use to perform a variety of actions, and provides real-world examples.

POWERSHELL SECURITY BEST PRACTICES

Given that PowerShell cannot be disabled or removed from organizations that require it, the following actions are the recommended best practices to use PowerShell efficiently while preventing its use as an attack vector.

1. PSLockDownPolicy And PowerShell Constrained Language Mode

Constrained language modelimits the capability of PowerShell to base functionality, removing advanced feature support, such as .NET and Windows API calls and COM access. This lack of advanced functionality stops most PowerShell attack tools, because they rely on these methods. However, in enterprise environments it can negatively affect legitimate scripts; thus it is highly recommended to schedule a testing period before activating this option, to filter out the legitimately used code.
Enable Constrained Language Mode:[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)

System-wide transcripts. System-wide transcription can be enabled via Group Policy and provides an “over the shoulder” transcript file of every PowerShell command and code block executed on a system by every user on that system.

Antimalware integration (Windows 10).The newWindows 10 Antimalware Scan Interface(AMSI) enables all the scripting engines (PowerShell, VBScript, and JScript) to request analysis of dynamic content: from a script file, typed commands at the command line, and even code downloaded and executed in memory. This enables scanning of PowerShell code before it is executed on the computer.

In addition, using Applocker to block executables from unwanted user locations will provide better control.

Device Guard which is also applicable on Windows 10 and Windows Server 2016 can be used to enforce constrained language mode and application whitelisting by leveraging advanced hardware features where supported. (https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)

3. Logging PowerShell Activity

PowerShell logging can be enabled via Group Policy for PowerShell modules:

For obfuscated PowerShell, custom rules should be developed. For example:

Look for lots of brackets { }

Look for lots of quote marks ‘ ”

Both of these are heavily used in obfuscation techniques and usually are not used by legitimate software or normal administrators.

4. Remove PowerShell V.2

It is obvious that the security features integrated in the latest versions of PowerShell do not apply to v.2, which makes its use very attractive to adversaries; PowerShell v.2 can be used for lateral movement and persistence techniques with the same functionality. PowerShell v.2’s extra value is that because it does not have native logging capabilities, it remains undetected and offers stealth in attacker operations.

On Windows Server, the following will return an InstallState of either Installed or Removed:

Get-WindowsFeature PowerShell-V2

5. Just Enough Administration – JEA

This is included with the latest update of Windows Management Framework 5.0 and 5.1, and is a security technology that helps organizations enforce information security by restricting IT administrative rights. JEA provides a practical, role-based approach to set up and automate restrictions for IT personnel, and reduces the risks associated with providing users with full administrative rights following the principle of least privilege.

JEA is implemented as a Windows PowerShell session endpoint (it requires PS remoting to be enabled), which includes a PowerShell Session Configuration file and one or more Role Capability files.

PowerShell Session Configuration file. This file is used to specify who can connect to an endpoint. Users and security groups can be mapped to specific management roles. Those files are specific to each machine, so an access control per machine is available. They contain information of what will be the name of the JEA endpoint, which roles will be assigned and of course who will have access to this endpoint. These files are PowerShell data files ending in a .pssc extension (https://docs.microsoft.com/en-us/powershell/jea/session-configurations).

Finally, another significant benefit of JEA is the actionable logging and reporting which is available in the Windows event log format, since all operations performed through the JEA endpoint can be recorded (with transcripts and logs) and show who accessed the environment and when, and what changes were made.

6. Scripts Code Signing

If PowerShell scripts are used in an enterprise environment, code signing is another control that improves security posture, by ensuring authenticity and integrity. This feature, along with a defined Execution Policy or Group Policy as “AllSigned” or “RemoteSigned”, will permit only digitally signed scripts to run. However we have to consider that several attacks in the past used malicious files digitally signed so this control just adds another security layer since it can be bypassed.

POWERSHELL DETECTION EVASION TECHNIQUES

Because PowerShell is being monitored more and more by the day, adversaries have come up with techniques that evade detection, including:

These are just indicative techniques; further analysis is not within the scope of this document, however “Logging PowerShell Activity” best practices will detect most of them.

CONCLUSION – SECURING POWERSHELL IS NOT STRAIGHTFORWARD

The most significant recommendation, after reviewing most of the known attack techniques used recently, is upgrading to Windows 10 and PowerShell v.5 with all security features enabled and removing PowerShell v.2 as well. However, this is not easily feasible for most enterprise environments; of equal priority are activating embedded security features and extensive logging focused on specific indicators commonly used for attacking techniques.

Previous Video

3 Steps to Protect Your Organization From Digital Risks Across the Open Deep and Dark Web

In this live webinar with Forrester Research's Nick Hayes and Digital Shadows' Rick Holland, you will learn...